Melv1n | Tech product management

PSD2: All you need to know about open banking data

Although PSD2 sounds like a new kind of medicine, it may actually be some kind of medicine for the majority of the payment industry. PSD2 will open up banking data in a way that can accelerate online transactions across the EU and improve buyers confidence cross-border.

Ok, now the interesting part…

This regulation will have an impact on a lot of online businesses within the EU region. If you’re responsible for an online business, you want to read on how to benefit from PSD2 or not lose money instead (section 8). All those goodies within 5 minutes. That’s a steal!

This article describes what PSD2 is, how it works and how it will impact the industry including your company.

Why is PSD2 important for banking data?

Most important change: Opens up banking data to third-parties to give you more opportunities to leverage consumers banking data. Giving businesses and developers also more advantage to compete (with banks themselves) on providing more competitive financial services and products.

More business can now provide payment services Not only financial registered companies can provide payment services through PSD2 regulation. As long as you’re complaint, non-financial businesses can setup services as well.

Gives user control own banking data personal data should be controlled by yourself. Not by banks. That’s the core advantage of PSD2 for everyone on European soil. You can give data to specific providers for a specific purpose of handling your financial banking data.

Still strong regulations means the user will have full control over their data. A users needs to give a service the required consent to process banking data. Regulation is still heavy on payment service providers and the EU will introduce even more heavy regulation for business processing personal data via the GDPR regulation.

What is PSD2?

PSD2 stands for Payment Services Directive 2 and is the successor of its older brother PSD. PSD2 is new regulation on payment services and payment service providers for both the European Union (EU) and European Economic Area (EEA).

Although it sounds like a brand new regulation, it’s not. The PSD2 proposal is actually from July 2013 and it took a few years to get it to pass.

Important difference understand: countries which are members of the EEA or not necessarily EU members. An example of such a country is Norway: it’s Europe but not an EU member.

Why the difference? If you want to have access to the single EU market, you’ll need to have a trading agreement with all EU countries. You can’t negotiate them separately. This agreement concerns goods, services and people (= residence and work). The EEA gives neighboring countries an opportunity to trade with the single EU market without being an EU member.

The goal of PSD2 is to increase European competition and participation in the payments payments industry. This applies also to non-banks. Providing a level playing field for standardizing consumer protection on opening up banking data.

The core fundamental is simple: make access to markets and payments easier to encourage more trading and transactions. The end goal: stimulate the total EU economy.

The deadline for implementation by payment service providers (including banks) in all member states of PSD2 is the 13th of January 2018.

List of PSD2 countries

Austria

Belgium

Bulgaria

Czech Republic

Cyprus

Denmark

Estonia

Finland

France

Germany

Greece

Hungary

Iceland

Ireland

Italy

Latvia

Liechtenstein

Lithuania

Luxembourg

Malta

Netherlands

Norway

Poland,

Portugal

Romania

Slovakia

Slovenia

Spain

Sweden

United Kingdom (until Brexit deadline)

How does PSD2 work?

A simplified version of how PSD2 will work for most user is shown with the illustration below:

First, the financial institutions aka. payment service providers (right) expose data through an application layer. This is also known as an API.

In between the user and the API, there is an intermediate party. This can be a bank or financial institution itself or a third party provider. The last one is referred to as a TPP. When the user grants access, this intermediate can ask the bank to release the data you want them to process.

And finally, the user. The data can be used in a range of solutions to give the user more benefits and efficiency to do a transaction with you as a business or any other party.

What data can be accessed?

PSD2 is not a free-for-all data frenzy. As a payment provider, you can’t actually get all banking data from a person even with their consent. PSD2 opens up banking data for two specific new provider types:

Payment Initiation Service Providers (PISPs)

The initiation service provider’s main purpose is the initiate the payment transaction immediately after purchase and notify the merchant instantly. Because a direct debit transaction can’t be cancelled, it’s certain the transaction is done upon initiation. This way a merchant can deliver purchased goods or services immediately with confidence of getting the required funds.

This is a great alternative for credit cards as the majority of Europeans don’t own a credit card or use on regularly. The majority of most domestic EU transactions are debit card based.

Account Information Service Providers (AISPs)

Account information providers consolidate financial information for a user with the purpose of giving an overview of someone’s financial situation and help them with making decisions on budget, financial planning or switching services (like a better deal on insurance).

How can access be granted?

Security is for many consumers a big concern. You can’t get access to banking data that easy and PSD2 regulations have strict access policies and ways to authenticate a person.

If you’re a service provider, you’ll need to authenticate a user based on 3 security factors:

First factor: something a user already knows. This mostly refers to a user having a password.

Second factor: something only the user possesses. This refers to a device the user owns, like a mobile device which he uses to authenticate.

Third factor: something the user actually is (inherence). This refers to something that distinguishes a user from everyone else. Like a fingerprint or voice recognition.

Once a user passes the SCA process a service provider finally can ask for consent to get the type of data it’s allowed to process.

How is PSD2 regulated?

The highest level development and implementation of PSD2 regulation across the EU market is done by the European Banking Authority (EBA). They make sure it’s standardized and required implementations are followed by all members.

Every country member separately is responsible for enforcing PSD2 regulations in their domestic market. This is done by the local designated authority. In most cases, it’s the same authority that is already regulating the domestic financial market.

When a service provider is reported for activities which are non-complaint, they’ll need to face their local PSD2 authority.

How does PSD2 impact my (online) business?

If you run an online (e-commerce) business and trade within the EU/EEA, you’ll have some changes you need to address from the 13th of January 2018:

Most important: surcharges on payment cards are forbidden. PSD2 forbids surcharging for any online payment cards (even credit cards). So charging extra specifically for using a payment method is not allowed anymore.

Faster payment initiation As a merchant, you can be notified instantly if a user has the required funds for the transaction upon closing the deal and check if the service provider has started the transaction. This means you can dispatch good and services almost instantly, making faster delivery times possible. This is good for business as faster delivery has been proven to increase conversion and improves on your funnel on things like cart abandonment.

Unconditional refund right. Consumers will have the right to request a full refund even when its a disputed payment transaction. Meaning: the total amount will be refunded whether you agree or not.

Enhanced fraud protection. If you receive payment from a fraudulent account, the bill for this unauthorized transaction will be waived for the actual account holder. The rightful account holder will only be obligated to cover a maximum of €50 for any unauthorized transaction. The remaining financial damages will be probably covered by either your business or the payment service provider (depending on the agreed liability by contract).

Protection against in advance crediting. Charging a payment card in advance without explicit consent of the card holder for charges made later (like a hotel charging your card for peanuts you ate during the stay). That will change. If you want to charge a card, you can only credit a charge and block those funds on the payers account with an exact amount that is approved by the same person of the account.

Complaint handling. Payment service providers are obligated to have a point-of-contact for anyone who wants to file a complaint against any transaction they handled for transactions covered by PSD2. They’re also required to respond within 15 business days for any complaint. This means your payment provider can contact you and request you take care of any complaints or pay fines for certain complaint (like chargebacks, etc).

Consumers have more power than ever and strong protection. Keep this in mind and make sure you handle these changes properly within your business.

What effect does Brexit have on PSD2?

This needs some explanation. You need to set apart two elements: financial transactions and trading. If you don’t have any business with the UK, you can skip this part.

Let’s first look at trading: The UK will no longer be part of the EU but they are an EEA member. The first problem is that current Brexit negotiations will decide if the UK remains an EEA member. The UK will lose all access to the single EU market without that membership. It basically means: issues and complex access for UK businesses to trade with EU businesses and vice-versa.

This is the main reason why big corporates are leaving the UK for mainland Europe. The total EU economy is about 10x bigger than the UK economy. You don’t have to be an Excel wizard to figure out the trading risks are too high for enterprise companies not to move.

Now the financial transactions part. Here is finally some good news….

PSD2 actually takes care of outside EU transactions. The regulations refer to it as an one-leg transactions. It means that all transactions based on PSD2 are valid when at least one of the transacting parties is within a PSD2 member state, even with a different currency.

The main issue where Brexit can disrupt UK-EU transactions is the trading agreement. The UK needs a new trading agreement after Brexit. Without this agreement there is no direct access the to single EU market. No agreement would make any PSD2 proposition between these two markets pretty useless.

You don’t benefit from transaction efficiency when you have more trading issues than before. It makes the correlation simple:

No trading agreement = no transactions = no relevance for PSD2 in the UK.

As the UK and EU are still in the early stages of negotiations, it runs down to a trading agreement to make PSD2 propositions for UK businesses valid.

Conclusion

PSD2 opens up banking data in a way that helps a lot of businesses to provide more efficient transaction options for online consumers. Consumers will have stronger protections and safer payment options to create more confidence on buying from merchants across the EU and beyond.

Third party providers will have the opportunity to step into the payments game and provide services to help businesses improve their transaction and payment funnels.

Still not sure how PSD2 will affect your business or the possible opportunities you’re missing out on? Send me a message if you have any questions.

Like this PSD2 article and think others can benefit from it? Do share it with your colleagues or business contacts.

Want to improve your product management?

Be the first to receive Melv1n's latest product management guides and tips.